Look up and validate DKIM signing records for any domain. Verify key type, key size, testing mode, and check BIMI brand indicators.
DKIM (DomainKeys Identified Mail) is an email authentication protocol defined in RFC 6376. It allows a mail server to attach a cryptographic signature to outgoing messages. The signature is stored in a DKIM-Signature header and covers the message body and selected headers.
When a receiving mail server gets the message, it extracts the domain and selector from the DKIM-Signature header, queries DNS for the public key at selector._domainkey.domain.com, and verifies the signature. A valid signature confirms the message came from an authorized server and was not modified after signing.
DKIM is one of the three pillars of email authentication, alongside SPF and DMARC. DMARC policy enforcement requires either SPF or DKIM alignment to pass. Without valid DKIM, your domain is vulnerable to spoofing and phishing attacks.
DKIM uses asymmetric cryptography. The private key is stored on your mail server and used to sign outgoing messages. The public key is published in DNS as a TXT record and used by receivers to verify signatures. You never share the private key — only the public key is in DNS.
The DKIM DNS record is a TXT record containing structured tags. The p= tag holds the base64-encoded public key. The k= tag specifies the algorithm (rsa or ed25519). The optional t=y flag marks the record as being in testing mode.
The security of an RSA DKIM key depends entirely on its size. In 2012, researchers exposed that Hotmail, Google, Yahoo, and others were using 512-bit keys that could be factored within 72 hours. This prompted a broad migration to 1024-bit keys. However, 1024-bit RSA is now within reach of well-resourced attackers and should be replaced.
Factored in minutes. Replace immediately.
Below current standards. Replace soon.
Current minimum recommendation.
Very strong. May exceed DNS record size limits.
Modern standard. Compact and fast.
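The record checks described above (k= key type, RSA key size from p=, the t=y testing flag), as an added example that is not this tool's own code. The function names are hypothetical, the sample keys are constructed DER around a made-up modulus rather than real keys, and the "replace" verdict follows the text's statement that 1024-bit RSA should be replaced.

```python
import base64

def parse_tags(txt):
    """Split a DKIM TXT record into tag=value pairs (RFC 6376 tag-list)."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    # "".join(value.split()) drops folding whitespace inside the base64
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the rsa p= value)."""
    _, start, _ = _tlv(spki, 0)            # outer SEQUENCE
    _, _, alg_end = _tlv(spki, start)      # AlgorithmIdentifier, skipped
    tag, start, _ = _tlv(spki, alg_end)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, start, _ = _tlv(spki, start + 1)    # +1 skips the unused-bits byte
    _, start, end = _tlv(spki, start)      # first INTEGER is the modulus
    return int.from_bytes(spki[start:end], "big").bit_length()

def audit(txt):
    """Key type, size in bits, testing flag, and whether the RSA key needs replacing."""
    tags = parse_tags(txt)
    ktype, p = tags.get("k", "rsa"), tags.get("p", "")    # k= defaults to rsa
    bits = None                            # stays None when p= is empty (revoked key)
    if p:
        raw = base64.b64decode(p, validate=True)
        # ed25519 publishes the raw 32-byte key (RFC 8463); rsa publishes DER SPKI
        bits = rsa_bits(raw) if ktype == "rsa" else len(raw) * 8
    return {"key_type": ktype, "bits": bits, "revoked": not p,
            "testing": "y" in tags.get("t", "").split(":"),
            "replace": ktype == "rsa" and bits is not None and bits <= 1024}

# Constructed samples: valid DER framing around a made-up modulus, not usable keys.
SPKI_1024 = bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100"
                          + "80" + "00" * 126 + "01" + "0203010001")
SAMPLE_RSA = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(SPKI_1024).decode()
SAMPLE_ED = "v=DKIM1; k=ed25519; p=" + base64.b64encode(bytes(range(32))).decode()
```

Calling audit(SAMPLE_RSA) reports a 1024-bit RSA key in testing mode that should be replaced; audit(SAMPLE_ED) reports a 256-bit Ed25519 key.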
Each email platform uses its own default DKIM selector. Knowing your platform lets you look up the correct record. This tool auto-probes common selectors when you search without specifying one.
google
selector1, selector2
amazon (varies)
k1, k2
s1, s2
proofpoint (varies)
BIMI (Brand Indicators for Message Identification) is an emerging standard that allows brands to display their logo in the email client inbox next to authenticated messages. Gmail, Apple Mail, Yahoo Mail, and Fastmail all support BIMI.
The BIMI record is a TXT record at default._bimi.example.com containing a URL to an SVG logo file. For Gmail, a Verified Mark Certificate (VMC) from DigiCert or Entrust is also required. The logo must be an SVG Tiny 1.2 file with a square viewport. This tool checks for your BIMI record, validates the logo URL, and reports VMC presence.
DKIM is one part of a complete email authentication setup. For full coverage, check your other email DNS records: